]> bbs.cooldavid.org Git - net-next-2.6.git/blame - security/selinux/hooks.c
git://bbs.cooldavid.org / net-next-2.6.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SELinux: allow fstype unknown to policy to use xattrs if present
[net-next-2.6.git] / security / selinux / hooks.c
CommitLineData
1da177e4
LT		 1/*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
828dfe1d
EP		 7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
1da177e4
LT		 10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
828dfe1d 14 * <dgoeddel@trustedcs.com>
effad8df 15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
828dfe1d 16 * Paul Moore <paul.moore@hp.com>
788e7dd4 17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
828dfe1d 18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
1da177e4
LT		 19 *
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
828dfe1d 22 * as published by the Free Software Foundation.
1da177e4
LT		 23 */
24
1da177e4
LT		 25#include <linux/init.h>
26#include <linux/kernel.h>
27#include <linux/ptrace.h>
28#include <linux/errno.h>
29#include <linux/sched.h>
30#include <linux/security.h>
31#include <linux/xattr.h>
32#include <linux/capability.h>
33#include <linux/unistd.h>
34#include <linux/mm.h>
35#include <linux/mman.h>
36#include <linux/slab.h>
37#include <linux/pagemap.h>
38#include <linux/swap.h>
1da177e4
LT		 39#include <linux/spinlock.h>
40#include <linux/syscalls.h>
41#include <linux/file.h>
9f3acc31 42#include <linux/fdtable.h>
1da177e4
LT		 43#include <linux/namei.h>
44#include <linux/mount.h>
1da177e4 45#include <linux/proc_fs.h>
1da177e4
LT		 46#include <linux/netfilter_ipv4.h>
47#include <linux/netfilter_ipv6.h>
48#include <linux/tty.h>
49#include <net/icmp.h>
227b60f5 50#include <net/ip.h> /* for local_port_range[] */
1da177e4 51#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
220deb96 52#include <net/net_namespace.h>
d621d35e 53#include <net/netlabel.h>
f5269710 54#include <linux/uaccess.h>
1da177e4 55#include <asm/ioctls.h>
d621d35e 56#include <asm/atomic.h>
1da177e4
LT		 57#include <linux/bitops.h>
58#include <linux/interrupt.h>
59#include <linux/netdevice.h> /* for network interface checks */
60#include <linux/netlink.h>
61#include <linux/tcp.h>
62#include <linux/udp.h>
2ee92d46 63#include <linux/dccp.h>
1da177e4
LT		 64#include <linux/quota.h>
65#include <linux/un.h> /* for Unix socket types */
66#include <net/af_unix.h> /* for Unix socket types */
67#include <linux/parser.h>
68#include <linux/nfs_mount.h>
69#include <net/ipv6.h>
70#include <linux/hugetlb.h>
71#include <linux/personality.h>
72#include <linux/sysctl.h>
73#include <linux/audit.h>
6931dfc9 74#include <linux/string.h>
877ce7c1 75#include <linux/selinux.h>
23970741 76#include <linux/mutex.h>
1da177e4
LT		 77
78#include "avc.h"
79#include "objsec.h"
80#include "netif.h"
224dfbd8 81#include "netnode.h"
3e112172 82#include "netport.h"
d28d1e08 83#include "xfrm.h"
c60475bf 84#include "netlabel.h"
9d57a7f9 85#include "audit.h"
1da177e4
LT		 86
87#define XATTR_SELINUX_SUFFIX "selinux"
88#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89
c9180a57
EP		 90#define NUM_SEL_MNT_OPTS 4
91
1da177e4
LT		 92extern unsigned int policydb_loaded_version;
93extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
4e5ab4cb 94extern int selinux_compat_net;
20510f2f 95extern struct security_operations *security_ops;
1da177e4 96
d621d35e
PM		 97/* SECMARK reference count */
98atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
1da177e4 100#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
828dfe1d 101int selinux_enforcing;
1da177e4
LT		 102
103static int __init enforcing_setup(char *str)
104{
f5269710
EP		 105 unsigned long enforcing;
106 if (!strict_strtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
1da177e4
LT		 108 return 1;
109}
110__setup("enforcing=", enforcing_setup);
111#endif
112
113#ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116static int __init selinux_enabled_setup(char *str)
117{
f5269710
EP		 118 unsigned long enabled;
119 if (!strict_strtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
1da177e4
LT		 121 return 1;
122}
123__setup("selinux=", selinux_enabled_setup);
30d55280
SS		 124#else
125int selinux_enabled = 1;
1da177e4
LT		 126#endif
127
128/* Original (dummy) security module. */
828dfe1d 129static struct security_operations *original_ops;
1da177e4
LT		 130
131/* Minimal support for a secondary security module,
132 just to allow the use of the dummy or capability modules.
133 The owlsm module can alternatively be used as a secondary
134 module as long as CONFIG_OWLSM_FD is not enabled. */
828dfe1d 135static struct security_operations *secondary_ops;
1da177e4
LT		 136
137/* Lists of inode and superblock security structures initialized
138 before the policy was loaded. */
139static LIST_HEAD(superblock_security_head);
140static DEFINE_SPINLOCK(sb_security_lock);
141
e18b890b 142static struct kmem_cache *sel_inode_cache;
7cae7e26 143
d621d35e
PM		 144/**
145 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146 *
147 * Description:
148 * This function checks the SECMARK reference counter to see if any SECMARK
149 * targets are currently configured, if the reference counter is greater than
150 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
151 * enabled, false (0) if SECMARK is disabled.
152 *
153 */
154static int selinux_secmark_enabled(void)
155{
156 return (atomic_read(&selinux_secmark_refcount) > 0);
157}
158
1da177e4
LT		 159/* Allocate and free functions for each kind of security blob. */
160
161static int task_alloc_security(struct task_struct *task)
162{
163 struct task_security_struct *tsec;
164
89d155ef 165 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
1da177e4
LT		 166 if (!tsec)
167 return -ENOMEM;
168
0356357c 169 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 170 task->security = tsec;
171
172 return 0;
173}
174
175static void task_free_security(struct task_struct *task)
176{
177 struct task_security_struct *tsec = task->security;
1da177e4
LT		 178 task->security = NULL;
179 kfree(tsec);
180}
181
182static int inode_alloc_security(struct inode *inode)
183{
184 struct task_security_struct *tsec = current->security;
185 struct inode_security_struct *isec;
186
a02fe132 187 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
1da177e4
LT		 188 if (!isec)
189 return -ENOMEM;
190
23970741 191 mutex_init(&isec->lock);
1da177e4 192 INIT_LIST_HEAD(&isec->list);
1da177e4
LT		 193 isec->inode = inode;
194 isec->sid = SECINITSID_UNLABELED;
195 isec->sclass = SECCLASS_FILE;
9ac49d22 196 isec->task_sid = tsec->sid;
1da177e4
LT		 197 inode->i_security = isec;
198
199 return 0;
200}
201
202static void inode_free_security(struct inode *inode)
203{
204 struct inode_security_struct *isec = inode->i_security;
205 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
206
1da177e4
LT		 207 spin_lock(&sbsec->isec_lock);
208 if (!list_empty(&isec->list))
209 list_del_init(&isec->list);
210 spin_unlock(&sbsec->isec_lock);
211
212 inode->i_security = NULL;
7cae7e26 213 kmem_cache_free(sel_inode_cache, isec);
1da177e4
LT		 214}
215
216static int file_alloc_security(struct file *file)
217{
218 struct task_security_struct *tsec = current->security;
219 struct file_security_struct *fsec;
220
26d2a4be 221 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
1da177e4
LT		 222 if (!fsec)
223 return -ENOMEM;
224
9ac49d22
SS		 225 fsec->sid = tsec->sid;
226 fsec->fown_sid = tsec->sid;
1da177e4
LT		 227 file->f_security = fsec;
228
229 return 0;
230}
231
232static void file_free_security(struct file *file)
233{
234 struct file_security_struct *fsec = file->f_security;
1da177e4
LT		 235 file->f_security = NULL;
236 kfree(fsec);
237}
238
239static int superblock_alloc_security(struct super_block *sb)
240{
241 struct superblock_security_struct *sbsec;
242
89d155ef 243 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
1da177e4
LT		 244 if (!sbsec)
245 return -ENOMEM;
246
bc7e982b 247 mutex_init(&sbsec->lock);
1da177e4
LT		 248 INIT_LIST_HEAD(&sbsec->list);
249 INIT_LIST_HEAD(&sbsec->isec_head);
250 spin_lock_init(&sbsec->isec_lock);
1da177e4
LT		 251 sbsec->sb = sb;
252 sbsec->sid = SECINITSID_UNLABELED;
253 sbsec->def_sid = SECINITSID_FILE;
c312feb2 254 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
1da177e4
LT		 255 sb->s_security = sbsec;
256
257 return 0;
258}
259
260static void superblock_free_security(struct super_block *sb)
261{
262 struct superblock_security_struct *sbsec = sb->s_security;
263
1da177e4
LT		 264 spin_lock(&sb_security_lock);
265 if (!list_empty(&sbsec->list))
266 list_del_init(&sbsec->list);
267 spin_unlock(&sb_security_lock);
268
269 sb->s_security = NULL;
270 kfree(sbsec);
271}
272
7d877f3b 273static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
1da177e4
LT		 274{
275 struct sk_security_struct *ssec;
276
89d155ef 277 ssec = kzalloc(sizeof(*ssec), priority);
1da177e4
LT		 278 if (!ssec)
279 return -ENOMEM;
280
1da177e4 281 ssec->peer_sid = SECINITSID_UNLABELED;
892c141e 282 ssec->sid = SECINITSID_UNLABELED;
1da177e4
LT		 283 sk->sk_security = ssec;
284
f74af6e8 285 selinux_netlbl_sk_security_reset(ssec, family);
99f59ed0 286
1da177e4
LT		 287 return 0;
288}
289
290static void sk_free_security(struct sock *sk)
291{
292 struct sk_security_struct *ssec = sk->sk_security;
293
1da177e4
LT		 294 sk->sk_security = NULL;
295 kfree(ssec);
296}
1da177e4
LT		 297
298/* The security server must be initialized before
299 any labeling or access decisions can be provided. */
300extern int ss_initialized;
301
302/* The file system's label must be initialized prior to use. */
303
304static char *labeling_behaviors[6] = {
305 "uses xattr",
306 "uses transition SIDs",
307 "uses task SIDs",
308 "uses genfs_contexts",
309 "not configured for labeling",
310 "uses mountpoint labeling",
311};
312
313static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315static inline int inode_doinit(struct inode *inode)
316{
317 return inode_doinit_with_dentry(inode, NULL);
318}
319
320enum {
31e87930 321 Opt_error = -1,
1da177e4
LT		 322 Opt_context = 1,
323 Opt_fscontext = 2,
c9180a57
EP		 324 Opt_defcontext = 3,
325 Opt_rootcontext = 4,
1da177e4
LT		 326};
327
328static match_table_t tokens = {
832cbd9a
EP		 329 {Opt_context, CONTEXT_STR "%s"},
330 {Opt_fscontext, FSCONTEXT_STR "%s"},
331 {Opt_defcontext, DEFCONTEXT_STR "%s"},
332 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
31e87930 333 {Opt_error, NULL},
1da177e4
LT		 334};
335
336#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
337
c312feb2
EP		 338static int may_context_mount_sb_relabel(u32 sid,
339 struct superblock_security_struct *sbsec,
340 struct task_security_struct *tsec)
341{
342 int rc;
343
344 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
345 FILESYSTEM__RELABELFROM, NULL);
346 if (rc)
347 return rc;
348
349 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
350 FILESYSTEM__RELABELTO, NULL);
351 return rc;
352}
353
0808925e
EP		 354static int may_context_mount_inode_relabel(u32 sid,
355 struct superblock_security_struct *sbsec,
356 struct task_security_struct *tsec)
357{
358 int rc;
359 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
360 FILESYSTEM__RELABELFROM, NULL);
361 if (rc)
362 return rc;
363
364 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
365 FILESYSTEM__ASSOCIATE, NULL);
366 return rc;
367}
368
c9180a57 369static int sb_finish_set_opts(struct super_block *sb)
1da177e4 370{
1da177e4 371 struct superblock_security_struct *sbsec = sb->s_security;
c9180a57
EP		 372 struct dentry *root = sb->s_root;
373 struct inode *root_inode = root->d_inode;
374 int rc = 0;
1da177e4 375
c9180a57
EP		 376 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
377 /* Make sure that the xattr handler exists and that no
378 error other than -ENODATA is returned by getxattr on
379 the root directory. -ENODATA is ok, as this may be
380 the first boot of the SELinux kernel before we have
381 assigned xattr values to the filesystem. */
382 if (!root_inode->i_op->getxattr) {
383 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
384 "xattr support\n", sb->s_id, sb->s_type->name);
385 rc = -EOPNOTSUPP;
386 goto out;
387 }
388 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
389 if (rc < 0 && rc != -ENODATA) {
390 if (rc == -EOPNOTSUPP)
391 printk(KERN_WARNING "SELinux: (dev %s, type "
392 "%s) has no security xattr handler\n",
393 sb->s_id, sb->s_type->name);
394 else
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) getxattr errno %d\n", sb->s_id,
397 sb->s_type->name, -rc);
398 goto out;
399 }
400 }
1da177e4 401
c9180a57 402 sbsec->initialized = 1;
1da177e4 403
c9180a57
EP		 404 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
405 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
406 sb->s_id, sb->s_type->name);
407 else
408 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
409 sb->s_id, sb->s_type->name,
410 labeling_behaviors[sbsec->behavior-1]);
1da177e4 411
c9180a57
EP		 412 /* Initialize the root inode. */
413 rc = inode_doinit_with_dentry(root_inode, root);
1da177e4 414
c9180a57
EP		 415 /* Initialize any other inodes associated with the superblock, e.g.
416 inodes created prior to initial policy load or inodes created
417 during get_sb by a pseudo filesystem that directly
418 populates itself. */
419 spin_lock(&sbsec->isec_lock);
420next_inode:
421 if (!list_empty(&sbsec->isec_head)) {
422 struct inode_security_struct *isec =
423 list_entry(sbsec->isec_head.next,
424 struct inode_security_struct, list);
425 struct inode *inode = isec->inode;
426 spin_unlock(&sbsec->isec_lock);
427 inode = igrab(inode);
428 if (inode) {
429 if (!IS_PRIVATE(inode))
430 inode_doinit(inode);
431 iput(inode);
432 }
433 spin_lock(&sbsec->isec_lock);
434 list_del_init(&isec->list);
435 goto next_inode;
436 }
437 spin_unlock(&sbsec->isec_lock);
438out:
439 return rc;
440}
1da177e4 441
c9180a57
EP		 442/*
443 * This function should allow an FS to ask what it's mount security
444 * options were so it can use those later for submounts, displaying
445 * mount options, or whatever.
446 */
447static int selinux_get_mnt_opts(const struct super_block *sb,
e0007529 448 struct security_mnt_opts *opts)
c9180a57
EP		 449{
450 int rc = 0, i;
451 struct superblock_security_struct *sbsec = sb->s_security;
452 char *context = NULL;
453 u32 len;
454 char tmp;
1da177e4 455
e0007529 456 security_init_mnt_opts(opts);
1da177e4 457
c9180a57
EP		 458 if (!sbsec->initialized)
459 return -EINVAL;
1da177e4 460
c9180a57
EP		 461 if (!ss_initialized)
462 return -EINVAL;
1da177e4 463
c9180a57
EP		 464 /*
465 * if we ever use sbsec flags for anything other than tracking mount
466 * settings this is going to need a mask
467 */
468 tmp = sbsec->flags;
469 /* count the number of mount options for this sb */
470 for (i = 0; i < 8; i++) {
471 if (tmp & 0x01)
e0007529 472 opts->num_mnt_opts++;
c9180a57
EP		 473 tmp >>= 1;
474 }
1da177e4 475
e0007529
EP		 476 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
477 if (!opts->mnt_opts) {
c9180a57
EP		 478 rc = -ENOMEM;
479 goto out_free;
480 }
1da177e4 481
e0007529
EP		 482 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
483 if (!opts->mnt_opts_flags) {
c9180a57
EP		 484 rc = -ENOMEM;
485 goto out_free;
486 }
1da177e4 487
c9180a57
EP		 488 i = 0;
489 if (sbsec->flags & FSCONTEXT_MNT) {
490 rc = security_sid_to_context(sbsec->sid, &context, &len);
491 if (rc)
492 goto out_free;
e0007529
EP		 493 opts->mnt_opts[i] = context;
494 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
c9180a57
EP		 495 }
496 if (sbsec->flags & CONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
498 if (rc)
499 goto out_free;
e0007529
EP		 500 opts->mnt_opts[i] = context;
501 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
c9180a57
EP		 502 }
503 if (sbsec->flags & DEFCONTEXT_MNT) {
504 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
505 if (rc)
506 goto out_free;
e0007529
EP		 507 opts->mnt_opts[i] = context;
508 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
c9180a57
EP		 509 }
510 if (sbsec->flags & ROOTCONTEXT_MNT) {
511 struct inode *root = sbsec->sb->s_root->d_inode;
512 struct inode_security_struct *isec = root->i_security;
0808925e 513
c9180a57
EP		 514 rc = security_sid_to_context(isec->sid, &context, &len);
515 if (rc)
516 goto out_free;
e0007529
EP		 517 opts->mnt_opts[i] = context;
518 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
c9180a57 519 }
1da177e4 520
e0007529 521 BUG_ON(i != opts->num_mnt_opts);
1da177e4 522
c9180a57
EP		 523 return 0;
524
525out_free:
e0007529 526 security_free_mnt_opts(opts);
c9180a57
EP		 527 return rc;
528}
1da177e4 529
c9180a57
EP		 530static int bad_option(struct superblock_security_struct *sbsec, char flag,
531 u32 old_sid, u32 new_sid)
532{
533 /* check if the old mount command had the same options */
534 if (sbsec->initialized)
535 if (!(sbsec->flags & flag) ||
536 (old_sid != new_sid))
537 return 1;
538
539 /* check if we were passed the same options twice,
540 * aka someone passed context=a,context=b
541 */
542 if (!sbsec->initialized)
543 if (sbsec->flags & flag)
544 return 1;
545 return 0;
546}
e0007529 547
c9180a57
EP		 548/*
549 * Allow filesystems with binary mount data to explicitly set mount point
550 * labeling information.
551 */
e0007529
EP		 552static int selinux_set_mnt_opts(struct super_block *sb,
553 struct security_mnt_opts *opts)
c9180a57
EP		 554{
555 int rc = 0, i;
556 struct task_security_struct *tsec = current->security;
557 struct superblock_security_struct *sbsec = sb->s_security;
558 const char *name = sb->s_type->name;
811f3799
EP		 559 struct dentry *root = sb->s_root;
560 struct inode *root_inode = root->d_inode;
561 struct inode_security_struct *root_isec = root_inode->i_security;
c9180a57
EP		 562 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563 u32 defcontext_sid = 0;
e0007529
EP		 564 char **mount_options = opts->mnt_opts;
565 int *flags = opts->mnt_opts_flags;
566 int num_opts = opts->num_mnt_opts;
811f3799 567 bool can_xattr = false;
c9180a57
EP		 568
569 mutex_lock(&sbsec->lock);
570
571 if (!ss_initialized) {
572 if (!num_opts) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
576 spin_lock(&sb_security_lock);
577 if (list_empty(&sbsec->list))
578 list_add(&sbsec->list, &superblock_security_head);
579 spin_unlock(&sb_security_lock);
580 goto out;
581 }
582 rc = -EINVAL;
744ba35e
EP		 583 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584 "before the security server is initialized\n");
1da177e4 585 goto out;
c9180a57 586 }
1da177e4 587
e0007529
EP		 588 /*
589 * Binary mount data FS will come through this function twice. Once
590 * from an explicit call and once from the generic calls from the vfs.
591 * Since the generic VFS calls will not contain any security mount data
592 * we need to skip the double mount verification.
593 *
594 * This does open a hole in which we will not notice if the first
595 * mount using this sb set explict options and a second mount using
596 * this sb does not set any security options. (The first options
597 * will be used for both mounts)
598 */
599 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600 && (num_opts == 0))
f5269710 601 goto out;
e0007529 602
c9180a57
EP		 603 /*
604 * parse the mount options, check if they are valid sids.
605 * also check if someone is trying to mount the same sb more
606 * than once with different security options.
607 */
608 for (i = 0; i < num_opts; i++) {
609 u32 sid;
610 rc = security_context_to_sid(mount_options[i],
611 strlen(mount_options[i]), &sid);
1da177e4
LT		 612 if (rc) {
613 printk(KERN_WARNING "SELinux: security_context_to_sid"
614 "(%s) failed for (dev %s, type %s) errno=%d\n",
c9180a57
EP		 615 mount_options[i], sb->s_id, name, rc);
616 goto out;
617 }
618 switch (flags[i]) {
619 case FSCONTEXT_MNT:
620 fscontext_sid = sid;
621
622 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623 fscontext_sid))
624 goto out_double_mount;
625
626 sbsec->flags |= FSCONTEXT_MNT;
627 break;
628 case CONTEXT_MNT:
629 context_sid = sid;
630
631 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632 context_sid))
633 goto out_double_mount;
634
635 sbsec->flags |= CONTEXT_MNT;
636 break;
637 case ROOTCONTEXT_MNT:
638 rootcontext_sid = sid;
639
640 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641 rootcontext_sid))
642 goto out_double_mount;
643
644 sbsec->flags |= ROOTCONTEXT_MNT;
645
646 break;
647 case DEFCONTEXT_MNT:
648 defcontext_sid = sid;
649
650 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651 defcontext_sid))
652 goto out_double_mount;
653
654 sbsec->flags |= DEFCONTEXT_MNT;
655
656 break;
657 default:
658 rc = -EINVAL;
659 goto out;
1da177e4 660 }
c9180a57
EP		 661 }
662
663 if (sbsec->initialized) {
664 /* previously mounted with options, but not on this attempt? */
665 if (sbsec->flags && !num_opts)
666 goto out_double_mount;
667 rc = 0;
668 goto out;
669 }
670
811f3799 671 if (strcmp(name, "proc") == 0)
c9180a57
EP		 672 sbsec->proc = 1;
673
811f3799
EP		 674 /*
675 * test if the fs supports xattrs, fs_use might make use of this if the
676 * fs has no definition in policy.
677 */
678 if (root_inode->i_op->getxattr) {
679 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
680 if (rc >= 0 || rc == -ENODATA)
681 can_xattr = true;
682 }
683
c9180a57 684 /* Determine the labeling behavior to use for this filesystem type. */
811f3799 685 rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
c9180a57
EP		 686 if (rc) {
687 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
811f3799 688 __func__, name, rc);
c9180a57
EP		 689 goto out;
690 }
1da177e4 691
c9180a57
EP		 692 /* sets the context of the superblock for the fs being mounted. */
693 if (fscontext_sid) {
694
695 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
1da177e4 696 if (rc)
c9180a57 697 goto out;
1da177e4 698
c9180a57 699 sbsec->sid = fscontext_sid;
c312feb2
EP		 700 }
701
702 /*
703 * Switch to using mount point labeling behavior.
704 * sets the label used on all file below the mountpoint, and will set
705 * the superblock context if not already set.
706 */
c9180a57
EP		 707 if (context_sid) {
708 if (!fscontext_sid) {
709 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
b04ea3ce 710 if (rc)
c9180a57
EP		 711 goto out;
712 sbsec->sid = context_sid;
b04ea3ce 713 } else {
c9180a57 714 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
b04ea3ce 715 if (rc)
c9180a57 716 goto out;
b04ea3ce 717 }
c9180a57
EP		 718 if (!rootcontext_sid)
719 rootcontext_sid = context_sid;
1da177e4 720
c9180a57 721 sbsec->mntpoint_sid = context_sid;
c312feb2 722 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
1da177e4
LT		 723 }
724
c9180a57
EP		 725 if (rootcontext_sid) {
726 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
0808925e 727 if (rc)
c9180a57 728 goto out;
0808925e 729
c9180a57
EP		 730 root_isec->sid = rootcontext_sid;
731 root_isec->initialized = 1;
0808925e
EP		 732 }
733
c9180a57
EP		 734 if (defcontext_sid) {
735 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
736 rc = -EINVAL;
737 printk(KERN_WARNING "SELinux: defcontext option is "
738 "invalid for this filesystem type\n");
739 goto out;
1da177e4
LT		 740 }
741
c9180a57
EP		 742 if (defcontext_sid != sbsec->def_sid) {
743 rc = may_context_mount_inode_relabel(defcontext_sid,
744 sbsec, tsec);
745 if (rc)
746 goto out;
747 }
1da177e4 748
c9180a57 749 sbsec->def_sid = defcontext_sid;
1da177e4
LT		 750 }
751
c9180a57 752 rc = sb_finish_set_opts(sb);
1da177e4 753out:
c9180a57 754 mutex_unlock(&sbsec->lock);
1da177e4 755 return rc;
c9180a57
EP		 756out_double_mount:
757 rc = -EINVAL;
758 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
759 "security settings for (dev %s, type %s)\n", sb->s_id, name);
760 goto out;
1da177e4
LT		 761}
762
c9180a57
EP		 763static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
764 struct super_block *newsb)
1da177e4 765{
c9180a57
EP		 766 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
767 struct superblock_security_struct *newsbsec = newsb->s_security;
1da177e4 768
c9180a57
EP		 769 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
770 int set_context = (oldsbsec->flags & CONTEXT_MNT);
771 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1da177e4 772
0f5e6420
EP		 773 /*
774 * if the parent was able to be mounted it clearly had no special lsm
775 * mount options. thus we can safely put this sb on the list and deal
776 * with it later
777 */
778 if (!ss_initialized) {
779 spin_lock(&sb_security_lock);
780 if (list_empty(&newsbsec->list))
781 list_add(&newsbsec->list, &superblock_security_head);
782 spin_unlock(&sb_security_lock);
783 return;
784 }
c9180a57 785
c9180a57
EP		 786 /* how can we clone if the old one wasn't set up?? */
787 BUG_ON(!oldsbsec->initialized);
788
5a552617
EP		 789 /* if fs is reusing a sb, just let its options stand... */
790 if (newsbsec->initialized)
791 return;
792
c9180a57
EP		 793 mutex_lock(&newsbsec->lock);
794
795 newsbsec->flags = oldsbsec->flags;
796
797 newsbsec->sid = oldsbsec->sid;
798 newsbsec->def_sid = oldsbsec->def_sid;
799 newsbsec->behavior = oldsbsec->behavior;
800
801 if (set_context) {
802 u32 sid = oldsbsec->mntpoint_sid;
803
804 if (!set_fscontext)
805 newsbsec->sid = sid;
806 if (!set_rootcontext) {
807 struct inode *newinode = newsb->s_root->d_inode;
808 struct inode_security_struct *newisec = newinode->i_security;
809 newisec->sid = sid;
810 }
811 newsbsec->mntpoint_sid = sid;
1da177e4 812 }
c9180a57
EP		 813 if (set_rootcontext) {
814 const struct inode *oldinode = oldsb->s_root->d_inode;
815 const struct inode_security_struct *oldisec = oldinode->i_security;
816 struct inode *newinode = newsb->s_root->d_inode;
817 struct inode_security_struct *newisec = newinode->i_security;
1da177e4 818
c9180a57 819 newisec->sid = oldisec->sid;
1da177e4
LT		 820 }
821
c9180a57
EP		 822 sb_finish_set_opts(newsb);
823 mutex_unlock(&newsbsec->lock);
824}
825
2e1479d9
AB		 826static int selinux_parse_opts_str(char *options,
827 struct security_mnt_opts *opts)
c9180a57 828{
e0007529 829 char *p;
c9180a57
EP		 830 char *context = NULL, *defcontext = NULL;
831 char *fscontext = NULL, *rootcontext = NULL;
e0007529 832 int rc, num_mnt_opts = 0;
1da177e4 833
e0007529 834 opts->num_mnt_opts = 0;
1da177e4 835
c9180a57
EP		 836 /* Standard string-based options. */
837 while ((p = strsep(&options, "|")) != NULL) {
838 int token;
839 substring_t args[MAX_OPT_ARGS];
1da177e4 840
c9180a57
EP		 841 if (!*p)
842 continue;
1da177e4 843
c9180a57 844 token = match_token(p, tokens, args);
1da177e4 845
c9180a57
EP		 846 switch (token) {
847 case Opt_context:
848 if (context || defcontext) {
849 rc = -EINVAL;
850 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851 goto out_err;
852 }
853 context = match_strdup(&args[0]);
854 if (!context) {
855 rc = -ENOMEM;
856 goto out_err;
857 }
858 break;
859
860 case Opt_fscontext:
861 if (fscontext) {
862 rc = -EINVAL;
863 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864 goto out_err;
865 }
866 fscontext = match_strdup(&args[0]);
867 if (!fscontext) {
868 rc = -ENOMEM;
869 goto out_err;
870 }
871 break;
872
873 case Opt_rootcontext:
874 if (rootcontext) {
875 rc = -EINVAL;
876 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877 goto out_err;
878 }
879 rootcontext = match_strdup(&args[0]);
880 if (!rootcontext) {
881 rc = -ENOMEM;
882 goto out_err;
883 }
884 break;
885
886 case Opt_defcontext:
887 if (context || defcontext) {
888 rc = -EINVAL;
889 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
890 goto out_err;
891 }
892 defcontext = match_strdup(&args[0]);
893 if (!defcontext) {
894 rc = -ENOMEM;
895 goto out_err;
896 }
897 break;
898
899 default:
900 rc = -EINVAL;
901 printk(KERN_WARNING "SELinux: unknown mount option\n");
902 goto out_err;
1da177e4 903
1da177e4 904 }
1da177e4 905 }
c9180a57 906
e0007529
EP		 907 rc = -ENOMEM;
908 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
909 if (!opts->mnt_opts)
910 goto out_err;
911
912 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
913 if (!opts->mnt_opts_flags) {
914 kfree(opts->mnt_opts);
915 goto out_err;
916 }
917
c9180a57 918 if (fscontext) {
e0007529
EP		 919 opts->mnt_opts[num_mnt_opts] = fscontext;
920 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
c9180a57
EP		 921 }
922 if (context) {
e0007529
EP		 923 opts->mnt_opts[num_mnt_opts] = context;
924 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
c9180a57
EP		 925 }
926 if (rootcontext) {
e0007529
EP		 927 opts->mnt_opts[num_mnt_opts] = rootcontext;
928 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
c9180a57
EP		 929 }
930 if (defcontext) {
e0007529
EP		 931 opts->mnt_opts[num_mnt_opts] = defcontext;
932 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
c9180a57
EP		 933 }
934
e0007529
EP		 935 opts->num_mnt_opts = num_mnt_opts;
936 return 0;
937
c9180a57
EP		 938out_err:
939 kfree(context);
940 kfree(defcontext);
941 kfree(fscontext);
942 kfree(rootcontext);
1da177e4
LT		 943 return rc;
944}
e0007529
EP		 945/*
946 * string mount options parsing and call set the sbsec
947 */
948static int superblock_doinit(struct super_block *sb, void *data)
949{
950 int rc = 0;
951 char *options = data;
952 struct security_mnt_opts opts;
953
954 security_init_mnt_opts(&opts);
955
956 if (!data)
957 goto out;
958
959 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
960
961 rc = selinux_parse_opts_str(options, &opts);
962 if (rc)
963 goto out_err;
964
965out:
966 rc = selinux_set_mnt_opts(sb, &opts);
967
968out_err:
969 security_free_mnt_opts(&opts);
970 return rc;
971}
1da177e4
LT		 972
973static inline u16 inode_mode_to_security_class(umode_t mode)
974{
975 switch (mode & S_IFMT) {
976 case S_IFSOCK:
977 return SECCLASS_SOCK_FILE;
978 case S_IFLNK:
979 return SECCLASS_LNK_FILE;
980 case S_IFREG:
981 return SECCLASS_FILE;
982 case S_IFBLK:
983 return SECCLASS_BLK_FILE;
984 case S_IFDIR:
985 return SECCLASS_DIR;
986 case S_IFCHR:
987 return SECCLASS_CHR_FILE;
988 case S_IFIFO:
989 return SECCLASS_FIFO_FILE;
990
991 }
992
993 return SECCLASS_FILE;
994}
995
13402580
JM		 996static inline int default_protocol_stream(int protocol)
997{
998 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
999}
1000
1001static inline int default_protocol_dgram(int protocol)
1002{
1003 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1004}
1005
1da177e4
LT		 1006static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1007{
1008 switch (family) {
1009 case PF_UNIX:
1010 switch (type) {
1011 case SOCK_STREAM:
1012 case SOCK_SEQPACKET:
1013 return SECCLASS_UNIX_STREAM_SOCKET;
1014 case SOCK_DGRAM:
1015 return SECCLASS_UNIX_DGRAM_SOCKET;
1016 }
1017 break;
1018 case PF_INET:
1019 case PF_INET6:
1020 switch (type) {
1021 case SOCK_STREAM:
13402580
JM		 1022 if (default_protocol_stream(protocol))
1023 return SECCLASS_TCP_SOCKET;
1024 else
1025 return SECCLASS_RAWIP_SOCKET;
1da177e4 1026 case SOCK_DGRAM:
13402580
JM		 1027 if (default_protocol_dgram(protocol))
1028 return SECCLASS_UDP_SOCKET;
1029 else
1030 return SECCLASS_RAWIP_SOCKET;
2ee92d46
JM		 1031 case SOCK_DCCP:
1032 return SECCLASS_DCCP_SOCKET;
13402580 1033 default:
1da177e4
LT		 1034 return SECCLASS_RAWIP_SOCKET;
1035 }
1036 break;
1037 case PF_NETLINK:
1038 switch (protocol) {
1039 case NETLINK_ROUTE:
1040 return SECCLASS_NETLINK_ROUTE_SOCKET;
1041 case NETLINK_FIREWALL:
1042 return SECCLASS_NETLINK_FIREWALL_SOCKET;
216efaaa 1043 case NETLINK_INET_DIAG:
1da177e4
LT		 1044 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1045 case NETLINK_NFLOG:
1046 return SECCLASS_NETLINK_NFLOG_SOCKET;
1047 case NETLINK_XFRM:
1048 return SECCLASS_NETLINK_XFRM_SOCKET;
1049 case NETLINK_SELINUX:
1050 return SECCLASS_NETLINK_SELINUX_SOCKET;
1051 case NETLINK_AUDIT:
1052 return SECCLASS_NETLINK_AUDIT_SOCKET;
1053 case NETLINK_IP6_FW:
1054 return SECCLASS_NETLINK_IP6FW_SOCKET;
1055 case NETLINK_DNRTMSG:
1056 return SECCLASS_NETLINK_DNRT_SOCKET;
0c9b7942
JM		 1057 case NETLINK_KOBJECT_UEVENT:
1058 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1da177e4
LT		 1059 default:
1060 return SECCLASS_NETLINK_SOCKET;
1061 }
1062 case PF_PACKET:
1063 return SECCLASS_PACKET_SOCKET;
1064 case PF_KEY:
1065 return SECCLASS_KEY_SOCKET;
3e3ff15e
CP		 1066 case PF_APPLETALK:
1067 return SECCLASS_APPLETALK_SOCKET;
1da177e4
LT		 1068 }
1069
1070 return SECCLASS_SOCKET;
1071}
1072
1073#ifdef CONFIG_PROC_FS
1074static int selinux_proc_get_sid(struct proc_dir_entry *de,
1075 u16 tclass,
1076 u32 *sid)
1077{
1078 int buflen, rc;
1079 char *buffer, *path, *end;
1080
828dfe1d 1081 buffer = (char *)__get_free_page(GFP_KERNEL);
1da177e4
LT		 1082 if (!buffer)
1083 return -ENOMEM;
1084
1085 buflen = PAGE_SIZE;
1086 end = buffer+buflen;
1087 *--end = '\0';
1088 buflen--;
1089 path = end-1;
1090 *path = '/';
1091 while (de && de != de->parent) {
1092 buflen -= de->namelen + 1;
1093 if (buflen < 0)
1094 break;
1095 end -= de->namelen;
1096 memcpy(end, de->name, de->namelen);
1097 *--end = '/';
1098 path = end;
1099 de = de->parent;
1100 }
1101 rc = security_genfs_sid("proc", path, tclass, sid);
1102 free_page((unsigned long)buffer);
1103 return rc;
1104}
1105#else
1106static int selinux_proc_get_sid(struct proc_dir_entry *de,
1107 u16 tclass,
1108 u32 *sid)
1109{
1110 return -EINVAL;
1111}
1112#endif
1113
1114/* The inode's security attributes must be initialized before first use. */
1115static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1116{
1117 struct superblock_security_struct *sbsec = NULL;
1118 struct inode_security_struct *isec = inode->i_security;
1119 u32 sid;
1120 struct dentry *dentry;
1121#define INITCONTEXTLEN 255
1122 char *context = NULL;
1123 unsigned len = 0;
1124 int rc = 0;
1da177e4
LT		 1125
1126 if (isec->initialized)
1127 goto out;
1128
23970741 1129 mutex_lock(&isec->lock);
1da177e4 1130 if (isec->initialized)
23970741 1131 goto out_unlock;
1da177e4
LT		 1132
1133 sbsec = inode->i_sb->s_security;
1134 if (!sbsec->initialized) {
1135 /* Defer initialization until selinux_complete_init,
1136 after the initial policy is loaded and the security
1137 server is ready to handle calls. */
1138 spin_lock(&sbsec->isec_lock);
1139 if (list_empty(&isec->list))
1140 list_add(&isec->list, &sbsec->isec_head);
1141 spin_unlock(&sbsec->isec_lock);
23970741 1142 goto out_unlock;
1da177e4
LT		 1143 }
1144
1145 switch (sbsec->behavior) {
1146 case SECURITY_FS_USE_XATTR:
1147 if (!inode->i_op->getxattr) {
1148 isec->sid = sbsec->def_sid;
1149 break;
1150 }
1151
1152 /* Need a dentry, since the xattr API requires one.
1153 Life would be simpler if we could just pass the inode. */
1154 if (opt_dentry) {
1155 /* Called from d_instantiate or d_splice_alias. */
1156 dentry = dget(opt_dentry);
1157 } else {
1158 /* Called from selinux_complete_init, try to find a dentry. */
1159 dentry = d_find_alias(inode);
1160 }
1161 if (!dentry) {
744ba35e 1162 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
dd6f953a 1163 "ino=%ld\n", __func__, inode->i_sb->s_id,
1da177e4 1164 inode->i_ino);
23970741 1165 goto out_unlock;
1da177e4
LT		 1166 }
1167
1168 len = INITCONTEXTLEN;
869ab514 1169 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1170 if (!context) {
1171 rc = -ENOMEM;
1172 dput(dentry);
23970741 1173 goto out_unlock;
1da177e4
LT		 1174 }
1175 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1176 context, len);
1177 if (rc == -ERANGE) {
1178 /* Need a larger buffer. Query for the right size. */
1179 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1180 NULL, 0);
1181 if (rc < 0) {
1182 dput(dentry);
23970741 1183 goto out_unlock;
1da177e4
LT		 1184 }
1185 kfree(context);
1186 len = rc;
869ab514 1187 context = kmalloc(len, GFP_NOFS);
1da177e4
LT		 1188 if (!context) {
1189 rc = -ENOMEM;
1190 dput(dentry);
23970741 1191 goto out_unlock;
1da177e4
LT		 1192 }
1193 rc = inode->i_op->getxattr(dentry,
1194 XATTR_NAME_SELINUX,
1195 context, len);
1196 }
1197 dput(dentry);
1198 if (rc < 0) {
1199 if (rc != -ENODATA) {
744ba35e 1200 printk(KERN_WARNING "SELinux: %s: getxattr returned "
dd6f953a 1201 "%d for dev=%s ino=%ld\n", __func__,
1da177e4
LT		 1202 -rc, inode->i_sb->s_id, inode->i_ino);
1203 kfree(context);
23970741 1204 goto out_unlock;
1da177e4
LT		 1205 }
1206 /* Map ENODATA to the default file SID */
1207 sid = sbsec->def_sid;
1208 rc = 0;
1209 } else {
f5c1d5b2 1210 rc = security_context_to_sid_default(context, rc, &sid,
869ab514
SS		 1211 sbsec->def_sid,
1212 GFP_NOFS);
1da177e4 1213 if (rc) {
744ba35e 1214 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1da177e4 1215 "returned %d for dev=%s ino=%ld\n",
dd6f953a 1216 __func__, context, -rc,
1da177e4
LT		 1217 inode->i_sb->s_id, inode->i_ino);
1218 kfree(context);
1219 /* Leave with the unlabeled SID */
1220 rc = 0;
1221 break;
1222 }
1223 }
1224 kfree(context);
1225 isec->sid = sid;
1226 break;
1227 case SECURITY_FS_USE_TASK:
1228 isec->sid = isec->task_sid;
1229 break;
1230 case SECURITY_FS_USE_TRANS:
1231 /* Default to the fs SID. */
1232 isec->sid = sbsec->sid;
1233
1234 /* Try to obtain a transition SID. */
1235 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1236 rc = security_transition_sid(isec->task_sid,
1237 sbsec->sid,
1238 isec->sclass,
1239 &sid);
1240 if (rc)
23970741 1241 goto out_unlock;
1da177e4
LT		 1242 isec->sid = sid;
1243 break;
c312feb2
EP		 1244 case SECURITY_FS_USE_MNTPOINT:
1245 isec->sid = sbsec->mntpoint_sid;
1246 break;
1da177e4 1247 default:
c312feb2 1248 /* Default to the fs superblock SID. */
1da177e4
LT		 1249 isec->sid = sbsec->sid;
1250
1251 if (sbsec->proc) {
1252 struct proc_inode *proci = PROC_I(inode);
1253 if (proci->pde) {
1254 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1255 rc = selinux_proc_get_sid(proci->pde,
1256 isec->sclass,
1257 &sid);
1258 if (rc)
23970741 1259 goto out_unlock;
1da177e4
LT		 1260 isec->sid = sid;
1261 }
1262 }
1263 break;
1264 }
1265
1266 isec->initialized = 1;
1267
23970741
EP		 1268out_unlock:
1269 mutex_unlock(&isec->lock);
1da177e4
LT		 1270out:
1271 if (isec->sclass == SECCLASS_FILE)
1272 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1da177e4
LT		 1273 return rc;
1274}
1275
1276/* Convert a Linux signal to an access vector. */
1277static inline u32 signal_to_av(int sig)
1278{
1279 u32 perm = 0;
1280
1281 switch (sig) {
1282 case SIGCHLD:
1283 /* Commonly granted from child to parent. */
1284 perm = PROCESS__SIGCHLD;
1285 break;
1286 case SIGKILL:
1287 /* Cannot be caught or ignored */
1288 perm = PROCESS__SIGKILL;
1289 break;
1290 case SIGSTOP:
1291 /* Cannot be caught or ignored */
1292 perm = PROCESS__SIGSTOP;
1293 break;
1294 default:
1295 /* All other signals. */
1296 perm = PROCESS__SIGNAL;
1297 break;
1298 }
1299
1300 return perm;
1301}
1302
1303/* Check permission betweeen a pair of tasks, e.g. signal checks,
1304 fork check, ptrace check, etc. */
1305static int task_has_perm(struct task_struct *tsk1,
1306 struct task_struct *tsk2,
1307 u32 perms)
1308{
1309 struct task_security_struct *tsec1, *tsec2;
1310
1311 tsec1 = tsk1->security;
1312 tsec2 = tsk2->security;
1313 return avc_has_perm(tsec1->sid, tsec2->sid,
1314 SECCLASS_PROCESS, perms, NULL);
1315}
1316
b68e418c
SS		 1317#if CAP_LAST_CAP > 63
1318#error Fix SELinux to handle capabilities > 63.
1319#endif
1320
1da177e4
LT		 1321/* Check whether a task is allowed to use a capability. */
1322static int task_has_capability(struct task_struct *tsk,
1323 int cap)
1324{
1325 struct task_security_struct *tsec;
1326 struct avc_audit_data ad;
b68e418c
SS		 1327 u16 sclass;
1328 u32 av = CAP_TO_MASK(cap);
1da177e4
LT		 1329
1330 tsec = tsk->security;
1331
828dfe1d 1332 AVC_AUDIT_DATA_INIT(&ad, CAP);
1da177e4
LT		 1333 ad.tsk = tsk;
1334 ad.u.cap = cap;
1335
b68e418c
SS		 1336 switch (CAP_TO_INDEX(cap)) {
1337 case 0:
1338 sclass = SECCLASS_CAPABILITY;
1339 break;
1340 case 1:
1341 sclass = SECCLASS_CAPABILITY2;
1342 break;
1343 default:
1344 printk(KERN_ERR
1345 "SELinux: out of range capability %d\n", cap);
1346 BUG();
1347 }
1348 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1da177e4
LT		 1349}
1350
1351/* Check whether a task is allowed to use a system operation. */
1352static int task_has_system(struct task_struct *tsk,
1353 u32 perms)
1354{
1355 struct task_security_struct *tsec;
1356
1357 tsec = tsk->security;
1358
1359 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1360 SECCLASS_SYSTEM, perms, NULL);
1361}
1362
1363/* Check whether a task has a particular permission to an inode.
1364 The 'adp' parameter is optional and allows other audit
1365 data to be passed (e.g. the dentry). */
1366static int inode_has_perm(struct task_struct *tsk,
1367 struct inode *inode,
1368 u32 perms,
1369 struct avc_audit_data *adp)
1370{
1371 struct task_security_struct *tsec;
1372 struct inode_security_struct *isec;
1373 struct avc_audit_data ad;
1374
828dfe1d 1375 if (unlikely(IS_PRIVATE(inode)))
bbaca6c2
SS		 1376 return 0;
1377
1da177e4
LT		 1378 tsec = tsk->security;
1379 isec = inode->i_security;
1380
1381 if (!adp) {
1382 adp = &ad;
1383 AVC_AUDIT_DATA_INIT(&ad, FS);
1384 ad.u.fs.inode = inode;
1385 }
1386
1387 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1388}
1389
1390/* Same as inode_has_perm, but pass explicit audit data containing
1391 the dentry to help the auditing code to more easily generate the
1392 pathname if needed. */
1393static inline int dentry_has_perm(struct task_struct *tsk,
1394 struct vfsmount *mnt,
1395 struct dentry *dentry,
1396 u32 av)
1397{
1398 struct inode *inode = dentry->d_inode;
1399 struct avc_audit_data ad;
828dfe1d 1400 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf
JB		 1401 ad.u.fs.path.mnt = mnt;
1402 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1403 return inode_has_perm(tsk, inode, av, &ad);
1404}
1405
1406/* Check whether a task can use an open file descriptor to
1407 access an inode in a given way. Check access to the
1408 descriptor itself, and then use dentry_has_perm to
1409 check a particular permission to the file.
1410 Access to the descriptor is implicitly granted if it
1411 has the same SID as the process. If av is zero, then
1412 access to the file is not checked, e.g. for cases
1413 where only the descriptor is affected like seek. */
858119e1 1414static int file_has_perm(struct task_struct *tsk,
1da177e4
LT		 1415 struct file *file,
1416 u32 av)
1417{
1418 struct task_security_struct *tsec = tsk->security;
1419 struct file_security_struct *fsec = file->f_security;
44707fdf 1420 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 1421 struct avc_audit_data ad;
1422 int rc;
1423
1424 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1425 ad.u.fs.path = file->f_path;
1da177e4
LT		 1426
1427 if (tsec->sid != fsec->sid) {
1428 rc = avc_has_perm(tsec->sid, fsec->sid,
1429 SECCLASS_FD,
1430 FD__USE,
1431 &ad);
1432 if (rc)
1433 return rc;
1434 }
1435
1436 /* av is zero if only checking access to the descriptor. */
1437 if (av)
1438 return inode_has_perm(tsk, inode, av, &ad);
1439
1440 return 0;
1441}
1442
1443/* Check whether a task can create a file. */
1444static int may_create(struct inode *dir,
1445 struct dentry *dentry,
1446 u16 tclass)
1447{
1448 struct task_security_struct *tsec;
1449 struct inode_security_struct *dsec;
1450 struct superblock_security_struct *sbsec;
1451 u32 newsid;
1452 struct avc_audit_data ad;
1453 int rc;
1454
1455 tsec = current->security;
1456 dsec = dir->i_security;
1457 sbsec = dir->i_sb->s_security;
1458
1459 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1460 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1461
1462 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1463 DIR__ADD_NAME | DIR__SEARCH,
1464 &ad);
1465 if (rc)
1466 return rc;
1467
1468 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1469 newsid = tsec->create_sid;
1470 } else {
1471 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1472 &newsid);
1473 if (rc)
1474 return rc;
1475 }
1476
1477 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1478 if (rc)
1479 return rc;
1480
1481 return avc_has_perm(newsid, sbsec->sid,
1482 SECCLASS_FILESYSTEM,
1483 FILESYSTEM__ASSOCIATE, &ad);
1484}
1485
4eb582cf
ML		 1486/* Check whether a task can create a key. */
1487static int may_create_key(u32 ksid,
1488 struct task_struct *ctx)
1489{
1490 struct task_security_struct *tsec;
1491
1492 tsec = ctx->security;
1493
1494 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1495}
1496
828dfe1d
EP		 1497#define MAY_LINK 0
1498#define MAY_UNLINK 1
1499#define MAY_RMDIR 2
1da177e4
LT		 1500
1501/* Check whether a task can link, unlink, or rmdir a file/directory. */
1502static int may_link(struct inode *dir,
1503 struct dentry *dentry,
1504 int kind)
1505
1506{
1507 struct task_security_struct *tsec;
1508 struct inode_security_struct *dsec, *isec;
1509 struct avc_audit_data ad;
1510 u32 av;
1511 int rc;
1512
1513 tsec = current->security;
1514 dsec = dir->i_security;
1515 isec = dentry->d_inode->i_security;
1516
1517 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 1518 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 1519
1520 av = DIR__SEARCH;
1521 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1522 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1523 if (rc)
1524 return rc;
1525
1526 switch (kind) {
1527 case MAY_LINK:
1528 av = FILE__LINK;
1529 break;
1530 case MAY_UNLINK:
1531 av = FILE__UNLINK;
1532 break;
1533 case MAY_RMDIR:
1534 av = DIR__RMDIR;
1535 break;
1536 default:
744ba35e
EP		 1537 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1538 __func__, kind);
1da177e4
LT		 1539 return 0;
1540 }
1541
1542 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1543 return rc;
1544}
1545
1546static inline int may_rename(struct inode *old_dir,
1547 struct dentry *old_dentry,
1548 struct inode *new_dir,
1549 struct dentry *new_dentry)
1550{
1551 struct task_security_struct *tsec;
1552 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1553 struct avc_audit_data ad;
1554 u32 av;
1555 int old_is_dir, new_is_dir;
1556 int rc;
1557
1558 tsec = current->security;
1559 old_dsec = old_dir->i_security;
1560 old_isec = old_dentry->d_inode->i_security;
1561 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1562 new_dsec = new_dir->i_security;
1563
1564 AVC_AUDIT_DATA_INIT(&ad, FS);
1565
44707fdf 1566 ad.u.fs.path.dentry = old_dentry;
1da177e4
LT		 1567 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1568 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1569 if (rc)
1570 return rc;
1571 rc = avc_has_perm(tsec->sid, old_isec->sid,
1572 old_isec->sclass, FILE__RENAME, &ad);
1573 if (rc)
1574 return rc;
1575 if (old_is_dir && new_dir != old_dir) {
1576 rc = avc_has_perm(tsec->sid, old_isec->sid,
1577 old_isec->sclass, DIR__REPARENT, &ad);
1578 if (rc)
1579 return rc;
1580 }
1581
44707fdf 1582 ad.u.fs.path.dentry = new_dentry;
1da177e4
LT		 1583 av = DIR__ADD_NAME | DIR__SEARCH;
1584 if (new_dentry->d_inode)
1585 av |= DIR__REMOVE_NAME;
1586 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1587 if (rc)
1588 return rc;
1589 if (new_dentry->d_inode) {
1590 new_isec = new_dentry->d_inode->i_security;
1591 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1592 rc = avc_has_perm(tsec->sid, new_isec->sid,
1593 new_isec->sclass,
1594 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1595 if (rc)
1596 return rc;
1597 }
1598
1599 return 0;
1600}
1601
1602/* Check whether a task can perform a filesystem operation. */
1603static int superblock_has_perm(struct task_struct *tsk,
1604 struct super_block *sb,
1605 u32 perms,
1606 struct avc_audit_data *ad)
1607{
1608 struct task_security_struct *tsec;
1609 struct superblock_security_struct *sbsec;
1610
1611 tsec = tsk->security;
1612 sbsec = sb->s_security;
1613 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1614 perms, ad);
1615}
1616
1617/* Convert a Linux mode and permission mask to an access vector. */
1618static inline u32 file_mask_to_av(int mode, int mask)
1619{
1620 u32 av = 0;
1621
1622 if ((mode & S_IFMT) != S_IFDIR) {
1623 if (mask & MAY_EXEC)
1624 av |= FILE__EXECUTE;
1625 if (mask & MAY_READ)
1626 av |= FILE__READ;
1627
1628 if (mask & MAY_APPEND)
1629 av |= FILE__APPEND;
1630 else if (mask & MAY_WRITE)
1631 av |= FILE__WRITE;
1632
1633 } else {
1634 if (mask & MAY_EXEC)
1635 av |= DIR__SEARCH;
1636 if (mask & MAY_WRITE)
1637 av |= DIR__WRITE;
1638 if (mask & MAY_READ)
1639 av |= DIR__READ;
1640 }
1641
1642 return av;
1643}
1644
b0c636b9
EP		 1645/*
1646 * Convert a file mask to an access vector and include the correct open
1647 * open permission.
1648 */
1649static inline u32 open_file_mask_to_av(int mode, int mask)
1650{
1651 u32 av = file_mask_to_av(mode, mask);
1652
1653 if (selinux_policycap_openperm) {
1654 /*
1655 * lnk files and socks do not really have an 'open'
1656 */
1657 if (S_ISREG(mode))
1658 av |= FILE__OPEN;
1659 else if (S_ISCHR(mode))
1660 av |= CHR_FILE__OPEN;
1661 else if (S_ISBLK(mode))
1662 av |= BLK_FILE__OPEN;
1663 else if (S_ISFIFO(mode))
1664 av |= FIFO_FILE__OPEN;
1665 else if (S_ISDIR(mode))
1666 av |= DIR__OPEN;
1667 else
744ba35e
EP		 1668 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1669 "unknown mode:%x\n", __func__, mode);
b0c636b9
EP		 1670 }
1671 return av;
1672}
1673
1da177e4
LT		 1674/* Convert a Linux file to an access vector. */
1675static inline u32 file_to_av(struct file *file)
1676{
1677 u32 av = 0;
1678
1679 if (file->f_mode & FMODE_READ)
1680 av |= FILE__READ;
1681 if (file->f_mode & FMODE_WRITE) {
1682 if (file->f_flags & O_APPEND)
1683 av |= FILE__APPEND;
1684 else
1685 av |= FILE__WRITE;
1686 }
0794c66d
SS		 1687 if (!av) {
1688 /*
1689 * Special file opened with flags 3 for ioctl-only use.
1690 */
1691 av = FILE__IOCTL;
1692 }
1da177e4
LT		 1693
1694 return av;
1695}
1696
1da177e4
LT		 1697/* Hook functions begin here. */
1698
006ebb40
SS		 1699static int selinux_ptrace(struct task_struct *parent,
1700 struct task_struct *child,
1701 unsigned int mode)
1da177e4 1702{
1da177e4
LT		 1703 int rc;
1704
006ebb40 1705 rc = secondary_ops->ptrace(parent, child, mode);
1da177e4
LT		 1706 if (rc)
1707 return rc;
1708
006ebb40
SS		 1709 if (mode == PTRACE_MODE_READ) {
1710 struct task_security_struct *tsec = parent->security;
1711 struct task_security_struct *csec = child->security;
1712 return avc_has_perm(tsec->sid, csec->sid,
1713 SECCLASS_FILE, FILE__READ, NULL);
1714 }
1715
0356357c 1716 return task_has_perm(parent, child, PROCESS__PTRACE);
1da177e4
LT		 1717}
1718
1719static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1720 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1721{
1722 int error;
1723
1724 error = task_has_perm(current, target, PROCESS__GETCAP);
1725 if (error)
1726 return error;
1727
1728 return secondary_ops->capget(target, effective, inheritable, permitted);
1729}
1730
1731static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1732 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1733{
1734 int error;
1735
1736 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1737 if (error)
1738 return error;
1739
1740 return task_has_perm(current, target, PROCESS__SETCAP);
1741}
1742
1743static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
828dfe1d 1744 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4
LT		 1745{
1746 secondary_ops->capset_set(target, effective, inheritable, permitted);
1747}
1748
1749static int selinux_capable(struct task_struct *tsk, int cap)
1750{
1751 int rc;
1752
1753 rc = secondary_ops->capable(tsk, cap);
1754 if (rc)
1755 return rc;
1756
828dfe1d 1757 return task_has_capability(tsk, cap);
1da177e4
LT		 1758}
1759
3fbfa981
EB		 1760static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1761{
1762 int buflen, rc;
1763 char *buffer, *path, *end;
1764
1765 rc = -ENOMEM;
828dfe1d 1766 buffer = (char *)__get_free_page(GFP_KERNEL);
3fbfa981
EB		 1767 if (!buffer)
1768 goto out;
1769
1770 buflen = PAGE_SIZE;
1771 end = buffer+buflen;
1772 *--end = '\0';
1773 buflen--;
1774 path = end-1;
1775 *path = '/';
1776 while (table) {
1777 const char *name = table->procname;
1778 size_t namelen = strlen(name);
1779 buflen -= namelen + 1;
1780 if (buflen < 0)
1781 goto out_free;
1782 end -= namelen;
1783 memcpy(end, name, namelen);
1784 *--end = '/';
1785 path = end;
1786 table = table->parent;
1787 }
b599fdfd
EB		 1788 buflen -= 4;
1789 if (buflen < 0)
1790 goto out_free;
1791 end -= 4;
1792 memcpy(end, "/sys", 4);
1793 path = end;
3fbfa981
EB		 1794 rc = security_genfs_sid("proc", path, tclass, sid);
1795out_free:
1796 free_page((unsigned long)buffer);
1797out:
1798 return rc;
1799}
1800
1da177e4
LT		 1801static int selinux_sysctl(ctl_table *table, int op)
1802{
1803 int error = 0;
1804 u32 av;
1805 struct task_security_struct *tsec;
1806 u32 tsid;
1807 int rc;
1808
1809 rc = secondary_ops->sysctl(table, op);
1810 if (rc)
1811 return rc;
1812
1813 tsec = current->security;
1814
3fbfa981
EB		 1815 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1816 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1da177e4
LT		 1817 if (rc) {
1818 /* Default to the well-defined sysctl SID. */
1819 tsid = SECINITSID_SYSCTL;
1820 }
1821
1822 /* The op values are "defined" in sysctl.c, thereby creating
1823 * a bad coupling between this module and sysctl.c */
828dfe1d 1824 if (op == 001) {
1da177e4
LT		 1825 error = avc_has_perm(tsec->sid, tsid,
1826 SECCLASS_DIR, DIR__SEARCH, NULL);
1827 } else {
1828 av = 0;
1829 if (op & 004)
1830 av |= FILE__READ;
1831 if (op & 002)
1832 av |= FILE__WRITE;
1833 if (av)
1834 error = avc_has_perm(tsec->sid, tsid,
1835 SECCLASS_FILE, av, NULL);
828dfe1d 1836 }
1da177e4
LT		 1837
1838 return error;
1839}
1840
1841static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1842{
1843 int rc = 0;
1844
1845 if (!sb)
1846 return 0;
1847
1848 switch (cmds) {
828dfe1d
EP		 1849 case Q_SYNC:
1850 case Q_QUOTAON:
1851 case Q_QUOTAOFF:
1852 case Q_SETINFO:
1853 case Q_SETQUOTA:
1854 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1855 NULL);
1856 break;
1857 case Q_GETFMT:
1858 case Q_GETINFO:
1859 case Q_GETQUOTA:
1860 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1861 NULL);
1862 break;
1863 default:
1864 rc = 0; /* let the kernel handle invalid cmds */
1865 break;
1da177e4
LT		 1866 }
1867 return rc;
1868}
1869
1870static int selinux_quota_on(struct dentry *dentry)
1871{
1872 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1873}
1874
1875static int selinux_syslog(int type)
1876{
1877 int rc;
1878
1879 rc = secondary_ops->syslog(type);
1880 if (rc)
1881 return rc;
1882
1883 switch (type) {
828dfe1d
EP		 1884 case 3: /* Read last kernel messages */
1885 case 10: /* Return size of the log buffer */
1886 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1887 break;
1888 case 6: /* Disable logging to console */
1889 case 7: /* Enable logging to console */
1890 case 8: /* Set level of messages printed to console */
1891 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1892 break;
1893 case 0: /* Close log */
1894 case 1: /* Open log */
1895 case 2: /* Read from log */
1896 case 4: /* Read/clear last kernel messages */
1897 case 5: /* Clear ring buffer */
1898 default:
1899 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1900 break;
1da177e4
LT		 1901 }
1902 return rc;
1903}
1904
1905/*
1906 * Check that a process has enough memory to allocate a new virtual
1907 * mapping. 0 means there is enough memory for the allocation to
1908 * succeed and -ENOMEM implies there is not.
1909 *
1910 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1911 * if the capability is granted, but __vm_enough_memory requires 1 if
1912 * the capability is granted.
1913 *
1914 * Do not audit the selinux permission check, as this is applied to all
1915 * processes that allocate mappings.
1916 */
34b4e4aa 1917static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1918{
1919 int rc, cap_sys_admin = 0;
1920 struct task_security_struct *tsec = current->security;
1921
1922 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1923 if (rc == 0)
1924 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2c3c05db
SS		 1925 SECCLASS_CAPABILITY,
1926 CAP_TO_MASK(CAP_SYS_ADMIN),
1927 0,
1928 NULL);
1da177e4
LT		 1929
1930 if (rc == 0)
1931 cap_sys_admin = 1;
1932
34b4e4aa 1933 return __vm_enough_memory(mm, pages, cap_sys_admin);
1da177e4
LT		 1934}
1935
0356357c
RM		 1936/**
1937 * task_tracer_task - return the task that is tracing the given task
1938 * @task: task to consider
1939 *
1940 * Returns NULL if noone is tracing @task, or the &struct task_struct
1941 * pointer to its tracer.
1942 *
1943 * Must be called under rcu_read_lock().
1944 */
1945static struct task_struct *task_tracer_task(struct task_struct *task)
1946{
1947 if (task->ptrace & PT_PTRACED)
1948 return rcu_dereference(task->parent);
1949 return NULL;
1950}
1951
1da177e4
LT		 1952/* binprm security operations */
1953
1954static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1955{
1956 struct bprm_security_struct *bsec;
1957
89d155ef 1958 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1da177e4
LT		 1959 if (!bsec)
1960 return -ENOMEM;
1961
1da177e4
LT		 1962 bsec->sid = SECINITSID_UNLABELED;
1963 bsec->set = 0;
1964
1965 bprm->security = bsec;
1966 return 0;
1967}
1968
1969static int selinux_bprm_set_security(struct linux_binprm *bprm)
1970{
1971 struct task_security_struct *tsec;
3d5ff529 1972 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1da177e4
LT		 1973 struct inode_security_struct *isec;
1974 struct bprm_security_struct *bsec;
1975 u32 newsid;
1976 struct avc_audit_data ad;
1977 int rc;
1978
1979 rc = secondary_ops->bprm_set_security(bprm);
1980 if (rc)
1981 return rc;
1982
1983 bsec = bprm->security;
1984
1985 if (bsec->set)
1986 return 0;
1987
1988 tsec = current->security;
1989 isec = inode->i_security;
1990
1991 /* Default to the current task SID. */
1992 bsec->sid = tsec->sid;
1993
28eba5bf 1994 /* Reset fs, key, and sock SIDs on execve. */
1da177e4 1995 tsec->create_sid = 0;
28eba5bf 1996 tsec->keycreate_sid = 0;
42c3e03e 1997 tsec->sockcreate_sid = 0;
1da177e4
LT		 1998
1999 if (tsec->exec_sid) {
2000 newsid = tsec->exec_sid;
2001 /* Reset exec SID on execve. */
2002 tsec->exec_sid = 0;
2003 } else {
2004 /* Check for a default transition on this program. */
2005 rc = security_transition_sid(tsec->sid, isec->sid,
828dfe1d 2006 SECCLASS_PROCESS, &newsid);
1da177e4
LT		 2007 if (rc)
2008 return rc;
2009 }
2010
2011 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2012 ad.u.fs.path = bprm->file->f_path;
1da177e4 2013
3d5ff529 2014 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1da177e4
LT		 2015 newsid = tsec->sid;
2016
828dfe1d 2017 if (tsec->sid == newsid) {
1da177e4
LT		 2018 rc = avc_has_perm(tsec->sid, isec->sid,
2019 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2020 if (rc)
2021 return rc;
2022 } else {
2023 /* Check permissions for the transition. */
2024 rc = avc_has_perm(tsec->sid, newsid,
2025 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2026 if (rc)
2027 return rc;
2028
2029 rc = avc_has_perm(newsid, isec->sid,
2030 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031 if (rc)
2032 return rc;
2033
2034 /* Clear any possibly unsafe personality bits on exec: */
2035 current->personality &= ~PER_CLEAR_ON_SETID;
2036
2037 /* Set the security field to the new SID. */
2038 bsec->sid = newsid;
2039 }
2040
2041 bsec->set = 1;
2042 return 0;
2043}
2044
828dfe1d 2045static int selinux_bprm_check_security(struct linux_binprm *bprm)
1da177e4
LT		 2046{
2047 return secondary_ops->bprm_check_security(bprm);
2048}
2049
2050
828dfe1d 2051static int selinux_bprm_secureexec(struct linux_binprm *bprm)
1da177e4
LT		 2052{
2053 struct task_security_struct *tsec = current->security;
2054 int atsecure = 0;
2055
2056 if (tsec->osid != tsec->sid) {
2057 /* Enable secure mode for SIDs transitions unless
2058 the noatsecure permission is granted between
2059 the two SIDs, i.e. ahp returns 0. */
2060 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2061 SECCLASS_PROCESS,
2062 PROCESS__NOATSECURE, NULL);
2063 }
2064
2065 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2066}
2067
2068static void selinux_bprm_free_security(struct linux_binprm *bprm)
2069{
9a5f04bf 2070 kfree(bprm->security);
1da177e4 2071 bprm->security = NULL;
1da177e4
LT		 2072}
2073
2074extern struct vfsmount *selinuxfs_mount;
2075extern struct dentry *selinux_null;
2076
2077/* Derived from fs/exec.c:flush_old_files. */
828dfe1d 2078static inline void flush_unauthorized_files(struct files_struct *files)
1da177e4
LT		 2079{
2080 struct avc_audit_data ad;
2081 struct file *file, *devnull = NULL;
b20c8122 2082 struct tty_struct *tty;
badf1662 2083 struct fdtable *fdt;
1da177e4 2084 long j = -1;
24ec839c 2085 int drop_tty = 0;
1da177e4 2086
b20c8122 2087 mutex_lock(&tty_mutex);
24ec839c 2088 tty = get_current_tty();
1da177e4
LT		 2089 if (tty) {
2090 file_list_lock();
2f512016 2091 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1da177e4
LT		 2092 if (file) {
2093 /* Revalidate access to controlling tty.
2094 Use inode_has_perm on the tty inode directly rather
2095 than using file_has_perm, as this particular open
2096 file may belong to another process and we are only
2097 interested in the inode-based check here. */
3d5ff529 2098 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2099 if (inode_has_perm(current, inode,
2100 FILE__READ | FILE__WRITE, NULL)) {
24ec839c 2101 drop_tty = 1;
1da177e4
LT		 2102 }
2103 }
2104 file_list_unlock();
2105 }
b20c8122 2106 mutex_unlock(&tty_mutex);
98a27ba4
EB		 2107 /* Reset controlling tty. */
2108 if (drop_tty)
2109 no_tty();
1da177e4
LT		 2110
2111 /* Revalidate access to inherited open files. */
2112
828dfe1d 2113 AVC_AUDIT_DATA_INIT(&ad, FS);
1da177e4
LT		 2114
2115 spin_lock(&files->file_lock);
2116 for (;;) {
2117 unsigned long set, i;
2118 int fd;
2119
2120 j++;
2121 i = j * __NFDBITS;
badf1662 2122 fdt = files_fdtable(files);
bbea9f69 2123 if (i >= fdt->max_fds)
1da177e4 2124 break;
badf1662 2125 set = fdt->open_fds->fds_bits[j];
1da177e4
LT		 2126 if (!set)
2127 continue;
2128 spin_unlock(&files->file_lock);
828dfe1d 2129 for ( ; set ; i++, set >>= 1) {
1da177e4
LT		 2130 if (set & 1) {
2131 file = fget(i);
2132 if (!file)
2133 continue;
2134 if (file_has_perm(current,
2135 file,
2136 file_to_av(file))) {
2137 sys_close(i);
2138 fd = get_unused_fd();
2139 if (fd != i) {
2140 if (fd >= 0)
2141 put_unused_fd(fd);
2142 fput(file);
2143 continue;
2144 }
2145 if (devnull) {
095975da 2146 get_file(devnull);
1da177e4
LT		 2147 } else {
2148 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
fc5d81e6
AM		 2149 if (IS_ERR(devnull)) {
2150 devnull = NULL;
1da177e4
LT		 2151 put_unused_fd(fd);
2152 fput(file);
2153 continue;
2154 }
2155 }
2156 fd_install(fd, devnull);
2157 }
2158 fput(file);
2159 }
2160 }
2161 spin_lock(&files->file_lock);
2162
2163 }
2164 spin_unlock(&files->file_lock);
2165}
2166
2167static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2168{
2169 struct task_security_struct *tsec;
2170 struct bprm_security_struct *bsec;
2171 u32 sid;
2172 int rc;
2173
2174 secondary_ops->bprm_apply_creds(bprm, unsafe);
2175
2176 tsec = current->security;
2177
2178 bsec = bprm->security;
2179 sid = bsec->sid;
2180
2181 tsec->osid = tsec->sid;
2182 bsec->unsafe = 0;
2183 if (tsec->sid != sid) {
2184 /* Check for shared state. If not ok, leave SID
2185 unchanged and kill. */
2186 if (unsafe & LSM_UNSAFE_SHARE) {
2187 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2188 PROCESS__SHARE, NULL);
2189 if (rc) {
2190 bsec->unsafe = 1;
2191 return;
2192 }
2193 }
2194
2195 /* Check for ptracing, and update the task SID if ok.
2196 Otherwise, leave SID unchanged and kill. */
2197 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
0356357c
RM		 2198 struct task_struct *tracer;
2199 struct task_security_struct *sec;
2200 u32 ptsid = 0;
2201
2202 rcu_read_lock();
2203 tracer = task_tracer_task(current);
2204 if (likely(tracer != NULL)) {
2205 sec = tracer->security;
2206 ptsid = sec->sid;
2207 }
2208 rcu_read_unlock();
2209
2210 if (ptsid != 0) {
2211 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2212 PROCESS__PTRACE, NULL);
2213 if (rc) {
2214 bsec->unsafe = 1;
2215 return;
2216 }
1da177e4
LT		 2217 }
2218 }
2219 tsec->sid = sid;
2220 }
2221}
2222
2223/*
2224 * called after apply_creds without the task lock held
2225 */
2226static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2227{
2228 struct task_security_struct *tsec;
2229 struct rlimit *rlim, *initrlim;
2230 struct itimerval itimer;
2231 struct bprm_security_struct *bsec;
2232 int rc, i;
2233
2234 tsec = current->security;
2235 bsec = bprm->security;
2236
2237 if (bsec->unsafe) {
2238 force_sig_specific(SIGKILL, current);
2239 return;
2240 }
2241 if (tsec->osid == tsec->sid)
2242 return;
2243
2244 /* Close files for which the new task SID is not authorized. */
2245 flush_unauthorized_files(current->files);
2246
2247 /* Check whether the new SID can inherit signal state
2248 from the old SID. If not, clear itimers to avoid
2249 subsequent signal generation and flush and unblock
2250 signals. This must occur _after_ the task SID has
2251 been updated so that any kill done after the flush
2252 will be checked against the new SID. */
2253 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2254 PROCESS__SIGINH, NULL);
2255 if (rc) {
2256 memset(&itimer, 0, sizeof itimer);
2257 for (i = 0; i < 3; i++)
2258 do_setitimer(i, &itimer, NULL);
2259 flush_signals(current);
2260 spin_lock_irq(&current->sighand->siglock);
2261 flush_signal_handlers(current, 1);
2262 sigemptyset(&current->blocked);
2263 recalc_sigpending();
2264 spin_unlock_irq(&current->sighand->siglock);
2265 }
2266
4ac212ad
SS		 2267 /* Always clear parent death signal on SID transitions. */
2268 current->pdeath_signal = 0;
2269
1da177e4
LT		 2270 /* Check whether the new SID can inherit resource limits
2271 from the old SID. If not, reset all soft limits to
2272 the lower of the current task's hard limit and the init
2273 task's soft limit. Note that the setting of hard limits
2274 (even to lower them) can be controlled by the setrlimit
2275 check. The inclusion of the init task's soft limit into
2276 the computation is to avoid resetting soft limits higher
2277 than the default soft limit for cases where the default
2278 is lower than the hard limit, e.g. RLIMIT_CORE or
2279 RLIMIT_STACK.*/
2280 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2281 PROCESS__RLIMITINH, NULL);
2282 if (rc) {
2283 for (i = 0; i < RLIM_NLIMITS; i++) {
2284 rlim = current->signal->rlim + i;
2285 initrlim = init_task.signal->rlim+i;
828dfe1d 2286 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
1da177e4
LT		 2287 }
2288 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2289 /*
2290 * This will cause RLIMIT_CPU calculations
2291 * to be refigured.
2292 */
2293 current->it_prof_expires = jiffies_to_cputime(1);
2294 }
2295 }
2296
2297 /* Wake up the parent if it is waiting so that it can
2298 recheck wait permission to the new task SID. */
2299 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2300}
2301
2302/* superblock security operations */
2303
2304static int selinux_sb_alloc_security(struct super_block *sb)
2305{
2306 return superblock_alloc_security(sb);
2307}
2308
2309static void selinux_sb_free_security(struct super_block *sb)
2310{
2311 superblock_free_security(sb);
2312}
2313
2314static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2315{
2316 if (plen > olen)
2317 return 0;
2318
2319 return !memcmp(prefix, option, plen);
2320}
2321
2322static inline int selinux_option(char *option, int len)
2323{
832cbd9a
EP		 2324 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2325 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2326 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2327 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
1da177e4
LT		 2328}
2329
2330static inline void take_option(char **to, char *from, int *first, int len)
2331{
2332 if (!*first) {
2333 **to = ',';
2334 *to += 1;
3528a953 2335 } else
1da177e4
LT		 2336 *first = 0;
2337 memcpy(*to, from, len);
2338 *to += len;
2339}
2340
828dfe1d
EP		 2341static inline void take_selinux_option(char **to, char *from, int *first,
2342 int len)
3528a953
CO		 2343{
2344 int current_size = 0;
2345
2346 if (!*first) {
2347 **to = '|';
2348 *to += 1;
828dfe1d 2349 } else
3528a953
CO		 2350 *first = 0;
2351
2352 while (current_size < len) {
2353 if (*from != '"') {
2354 **to = *from;
2355 *to += 1;
2356 }
2357 from += 1;
2358 current_size += 1;
2359 }
2360}
2361
e0007529 2362static int selinux_sb_copy_data(char *orig, char *copy)
1da177e4
LT		 2363{
2364 int fnosec, fsec, rc = 0;
2365 char *in_save, *in_curr, *in_end;
2366 char *sec_curr, *nosec_save, *nosec;
3528a953 2367 int open_quote = 0;
1da177e4
LT		 2368
2369 in_curr = orig;
2370 sec_curr = copy;
2371
1da177e4
LT		 2372 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2373 if (!nosec) {
2374 rc = -ENOMEM;
2375 goto out;
2376 }
2377
2378 nosec_save = nosec;
2379 fnosec = fsec = 1;
2380 in_save = in_end = orig;
2381
2382 do {
3528a953
CO		 2383 if (*in_end == '"')
2384 open_quote = !open_quote;
2385 if ((*in_end == ',' && open_quote == 0) ||
2386 *in_end == '\0') {
1da177e4
LT		 2387 int len = in_end - in_curr;
2388
2389 if (selinux_option(in_curr, len))
3528a953 2390 take_selinux_option(&sec_curr, in_curr, &fsec, len);
1da177e4
LT		 2391 else
2392 take_option(&nosec, in_curr, &fnosec, len);
2393
2394 in_curr = in_end + 1;
2395 }
2396 } while (*in_end++);
2397
6931dfc9 2398 strcpy(in_save, nosec_save);
da3caa20 2399 free_page((unsigned long)nosec_save);
1da177e4
LT		 2400out:
2401 return rc;
2402}
2403
2404static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2405{
2406 struct avc_audit_data ad;
2407 int rc;
2408
2409 rc = superblock_doinit(sb, data);
2410 if (rc)
2411 return rc;
2412
828dfe1d 2413 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2414 ad.u.fs.path.dentry = sb->s_root;
1da177e4
LT		 2415 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2416}
2417
726c3342 2418static int selinux_sb_statfs(struct dentry *dentry)
1da177e4
LT		 2419{
2420 struct avc_audit_data ad;
2421
828dfe1d 2422 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2423 ad.u.fs.path.dentry = dentry->d_sb->s_root;
726c3342 2424 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1da177e4
LT		 2425}
2426
828dfe1d 2427static int selinux_mount(char *dev_name,
b5266eb4 2428 struct path *path,
828dfe1d
EP		 2429 char *type,
2430 unsigned long flags,
2431 void *data)
1da177e4
LT		 2432{
2433 int rc;
2434
b5266eb4 2435 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
1da177e4
LT		 2436 if (rc)
2437 return rc;
2438
2439 if (flags & MS_REMOUNT)
b5266eb4 2440 return superblock_has_perm(current, path->mnt->mnt_sb,
828dfe1d 2441 FILESYSTEM__REMOUNT, NULL);
1da177e4 2442 else
b5266eb4 2443 return dentry_has_perm(current, path->mnt, path->dentry,
828dfe1d 2444 FILE__MOUNTON);
1da177e4
LT		 2445}
2446
2447static int selinux_umount(struct vfsmount *mnt, int flags)
2448{
2449 int rc;
2450
2451 rc = secondary_ops->sb_umount(mnt, flags);
2452 if (rc)
2453 return rc;
2454
828dfe1d
EP		 2455 return superblock_has_perm(current, mnt->mnt_sb,
2456 FILESYSTEM__UNMOUNT, NULL);
1da177e4
LT		 2457}
2458
2459/* inode security operations */
2460
2461static int selinux_inode_alloc_security(struct inode *inode)
2462{
2463 return inode_alloc_security(inode);
2464}
2465
2466static void selinux_inode_free_security(struct inode *inode)
2467{
2468 inode_free_security(inode);
2469}
2470
5e41ff9e
SS		 2471static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2472 char **name, void **value,
2473 size_t *len)
2474{
2475 struct task_security_struct *tsec;
2476 struct inode_security_struct *dsec;
2477 struct superblock_security_struct *sbsec;
570bc1c2 2478 u32 newsid, clen;
5e41ff9e 2479 int rc;
570bc1c2 2480 char *namep = NULL, *context;
5e41ff9e
SS		 2481
2482 tsec = current->security;
2483 dsec = dir->i_security;
2484 sbsec = dir->i_sb->s_security;
5e41ff9e
SS		 2485
2486 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2487 newsid = tsec->create_sid;
2488 } else {
2489 rc = security_transition_sid(tsec->sid, dsec->sid,
2490 inode_mode_to_security_class(inode->i_mode),
2491 &newsid);
2492 if (rc) {
2493 printk(KERN_WARNING "%s: "
2494 "security_transition_sid failed, rc=%d (dev=%s "
2495 "ino=%ld)\n",
dd6f953a 2496 __func__,
5e41ff9e
SS		 2497 -rc, inode->i_sb->s_id, inode->i_ino);
2498 return rc;
2499 }
2500 }
2501
296fddf7
EP		 2502 /* Possibly defer initialization to selinux_complete_init. */
2503 if (sbsec->initialized) {
2504 struct inode_security_struct *isec = inode->i_security;
2505 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2506 isec->sid = newsid;
2507 isec->initialized = 1;
2508 }
5e41ff9e 2509
8aad3875 2510 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
25a74f3b
SS		 2511 return -EOPNOTSUPP;
2512
570bc1c2 2513 if (name) {
a02fe132 2514 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
570bc1c2
SS		 2515 if (!namep)
2516 return -ENOMEM;
2517 *name = namep;
2518 }
5e41ff9e 2519
570bc1c2 2520 if (value && len) {
12b29f34 2521 rc = security_sid_to_context_force(newsid, &context, &clen);
570bc1c2
SS		 2522 if (rc) {
2523 kfree(namep);
2524 return rc;
2525 }
2526 *value = context;
2527 *len = clen;
5e41ff9e 2528 }
5e41ff9e 2529
5e41ff9e
SS		 2530 return 0;
2531}
2532
1da177e4
LT		 2533static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2534{
2535 return may_create(dir, dentry, SECCLASS_FILE);
2536}
2537
1da177e4
LT		 2538static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2539{
2540 int rc;
2541
828dfe1d 2542 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
1da177e4
LT		 2543 if (rc)
2544 return rc;
2545 return may_link(dir, old_dentry, MAY_LINK);
2546}
2547
1da177e4
LT		 2548static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2549{
2550 int rc;
2551
2552 rc = secondary_ops->inode_unlink(dir, dentry);
2553 if (rc)
2554 return rc;
2555 return may_link(dir, dentry, MAY_UNLINK);
2556}
2557
2558static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2559{
2560 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2561}
2562
1da177e4
LT		 2563static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2564{
2565 return may_create(dir, dentry, SECCLASS_DIR);
2566}
2567
1da177e4
LT		 2568static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2569{
2570 return may_link(dir, dentry, MAY_RMDIR);
2571}
2572
2573static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2574{
2575 int rc;
2576
2577 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2578 if (rc)
2579 return rc;
2580
2581 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2582}
2583
1da177e4 2584static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
828dfe1d 2585 struct inode *new_inode, struct dentry *new_dentry)
1da177e4
LT		 2586{
2587 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2588}
2589
1da177e4
LT		 2590static int selinux_inode_readlink(struct dentry *dentry)
2591{
2592 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2593}
2594
2595static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2596{
2597 int rc;
2598
828dfe1d 2599 rc = secondary_ops->inode_follow_link(dentry, nameidata);
1da177e4
LT		 2600 if (rc)
2601 return rc;
2602 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2603}
2604
2605static int selinux_inode_permission(struct inode *inode, int mask,
2606 struct nameidata *nd)
2607{
2608 int rc;
2609
2610 rc = secondary_ops->inode_permission(inode, mask, nd);
2611 if (rc)
2612 return rc;
2613
2614 if (!mask) {
2615 /* No permission to check. Existence test. */
2616 return 0;
2617 }
2618
2619 return inode_has_perm(current, inode,
b0c636b9 2620 open_file_mask_to_av(inode->i_mode, mask), NULL);
1da177e4
LT		 2621}
2622
2623static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2624{
2625 int rc;
2626
2627 rc = secondary_ops->inode_setattr(dentry, iattr);
2628 if (rc)
2629 return rc;
2630
2631 if (iattr->ia_valid & ATTR_FORCE)
2632 return 0;
2633
2634 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2635 ATTR_ATIME_SET | ATTR_MTIME_SET))
2636 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2637
2638 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2639}
2640
2641static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2642{
2643 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2644}
2645
8f0cfa52 2646static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
b5376771
SH		 2647{
2648 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2649 sizeof XATTR_SECURITY_PREFIX - 1)) {
2650 if (!strcmp(name, XATTR_NAME_CAPS)) {
2651 if (!capable(CAP_SETFCAP))
2652 return -EPERM;
2653 } else if (!capable(CAP_SYS_ADMIN)) {
2654 /* A different attribute in the security namespace.
2655 Restrict to administrator. */
2656 return -EPERM;
2657 }
2658 }
2659
2660 /* Not an attribute we recognize, so just check the
2661 ordinary setattr permission. */
2662 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2663}
2664
8f0cfa52
DH		 2665static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2666 const void *value, size_t size, int flags)
1da177e4
LT		 2667{
2668 struct task_security_struct *tsec = current->security;
2669 struct inode *inode = dentry->d_inode;
2670 struct inode_security_struct *isec = inode->i_security;
2671 struct superblock_security_struct *sbsec;
2672 struct avc_audit_data ad;
2673 u32 newsid;
2674 int rc = 0;
2675
b5376771
SH		 2676 if (strcmp(name, XATTR_NAME_SELINUX))
2677 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2678
2679 sbsec = inode->i_sb->s_security;
2680 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2681 return -EOPNOTSUPP;
2682
3bd858ab 2683 if (!is_owner_or_cap(inode))
1da177e4
LT		 2684 return -EPERM;
2685
828dfe1d 2686 AVC_AUDIT_DATA_INIT(&ad, FS);
44707fdf 2687 ad.u.fs.path.dentry = dentry;
1da177e4
LT		 2688
2689 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2690 FILE__RELABELFROM, &ad);
2691 if (rc)
2692 return rc;
2693
2694 rc = security_context_to_sid(value, size, &newsid);
12b29f34
SS		 2695 if (rc == -EINVAL) {
2696 if (!capable(CAP_MAC_ADMIN))
2697 return rc;
2698 rc = security_context_to_sid_force(value, size, &newsid);
2699 }
1da177e4
LT		 2700 if (rc)
2701 return rc;
2702
2703 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2704 FILE__RELABELTO, &ad);
2705 if (rc)
2706 return rc;
2707
2708 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
828dfe1d 2709 isec->sclass);
1da177e4
LT		 2710 if (rc)
2711 return rc;
2712
2713 return avc_has_perm(newsid,
2714 sbsec->sid,
2715 SECCLASS_FILESYSTEM,
2716 FILESYSTEM__ASSOCIATE,
2717 &ad);
2718}
2719
8f0cfa52 2720static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
f5269710 2721 const void *value, size_t size,
8f0cfa52 2722 int flags)
1da177e4
LT		 2723{
2724 struct inode *inode = dentry->d_inode;
2725 struct inode_security_struct *isec = inode->i_security;
2726 u32 newsid;
2727 int rc;
2728
2729 if (strcmp(name, XATTR_NAME_SELINUX)) {
2730 /* Not an attribute we recognize, so nothing to do. */
2731 return;
2732 }
2733
12b29f34 2734 rc = security_context_to_sid_force(value, size, &newsid);
1da177e4 2735 if (rc) {
12b29f34
SS		 2736 printk(KERN_ERR "SELinux: unable to map context to SID"
2737 "for (%s, %lu), rc=%d\n",
2738 inode->i_sb->s_id, inode->i_ino, -rc);
1da177e4
LT		 2739 return;
2740 }
2741
2742 isec->sid = newsid;
2743 return;
2744}
2745
8f0cfa52 2746static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
1da177e4 2747{
1da177e4
LT		 2748 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2749}
2750
828dfe1d 2751static int selinux_inode_listxattr(struct dentry *dentry)
1da177e4
LT		 2752{
2753 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2754}
2755
8f0cfa52 2756static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
1da177e4 2757{
b5376771
SH		 2758 if (strcmp(name, XATTR_NAME_SELINUX))
2759 return selinux_inode_setotherxattr(dentry, name);
1da177e4
LT		 2760
2761 /* No one is allowed to remove a SELinux security label.
2762 You can change the label, but all data must be labeled. */
2763 return -EACCES;
2764}
2765
d381d8a9 2766/*
abc69bb6 2767 * Copy the inode security context value to the user.
d381d8a9
JM		 2768 *
2769 * Permission check is handled by selinux_inode_getxattr hook.
2770 */
42492594 2771static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
1da177e4 2772{
42492594
DQ		 2773 u32 size;
2774 int error;
2775 char *context = NULL;
abc69bb6 2776 struct task_security_struct *tsec = current->security;
1da177e4 2777 struct inode_security_struct *isec = inode->i_security;
d381d8a9 2778
8c8570fb
DK		 2779 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2780 return -EOPNOTSUPP;
d381d8a9 2781
abc69bb6
SS		 2782 /*
2783 * If the caller has CAP_MAC_ADMIN, then get the raw context
2784 * value even if it is not defined by current policy; otherwise,
2785 * use the in-core value under current policy.
2786 * Use the non-auditing forms of the permission checks since
2787 * getxattr may be called by unprivileged processes commonly
2788 * and lack of permission just means that we fall back to the
2789 * in-core context value, not a denial.
2790 */
2791 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2792 if (!error)
2793 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2794 SECCLASS_CAPABILITY2,
2795 CAPABILITY2__MAC_ADMIN,
2796 0,
2797 NULL);
2798 if (!error)
2799 error = security_sid_to_context_force(isec->sid, &context,
2800 &size);
2801 else
2802 error = security_sid_to_context(isec->sid, &context, &size);
42492594
DQ		 2803 if (error)
2804 return error;
2805 error = size;
2806 if (alloc) {
2807 *buffer = context;
2808 goto out_nofree;
2809 }
2810 kfree(context);
2811out_nofree:
2812 return error;
1da177e4
LT		 2813}
2814
2815static int selinux_inode_setsecurity(struct inode *inode, const char *name,
828dfe1d 2816 const void *value, size_t size, int flags)
1da177e4
LT		 2817{
2818 struct inode_security_struct *isec = inode->i_security;
2819 u32 newsid;
2820 int rc;
2821
2822 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2823 return -EOPNOTSUPP;
2824
2825 if (!value || !size)
2826 return -EACCES;
2827
828dfe1d 2828 rc = security_context_to_sid((void *)value, size, &newsid);
1da177e4
LT		 2829 if (rc)
2830 return rc;
2831
2832 isec->sid = newsid;
2833 return 0;
2834}
2835
2836static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2837{
2838 const int len = sizeof(XATTR_NAME_SELINUX);
2839 if (buffer && len <= buffer_size)
2840 memcpy(buffer, XATTR_NAME_SELINUX, len);
2841 return len;
2842}
2843
b5376771
SH		 2844static int selinux_inode_need_killpriv(struct dentry *dentry)
2845{
2846 return secondary_ops->inode_need_killpriv(dentry);
2847}
2848
2849static int selinux_inode_killpriv(struct dentry *dentry)
2850{
2851 return secondary_ops->inode_killpriv(dentry);
2852}
2853
713a04ae
AD		 2854static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2855{
2856 struct inode_security_struct *isec = inode->i_security;
2857 *secid = isec->sid;
2858}
2859
1da177e4
LT		 2860/* file security operations */
2861
788e7dd4 2862static int selinux_revalidate_file_permission(struct file *file, int mask)
1da177e4 2863{
7420ed23 2864 int rc;
3d5ff529 2865 struct inode *inode = file->f_path.dentry->d_inode;
1da177e4
LT		 2866
2867 if (!mask) {
2868 /* No permission to check. Existence test. */
2869 return 0;
2870 }
2871
2872 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2873 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2874 mask |= MAY_APPEND;
2875
7420ed23
VY		 2876 rc = file_has_perm(current, file,
2877 file_mask_to_av(inode->i_mode, mask));
2878 if (rc)
2879 return rc;
2880
2881 return selinux_netlbl_inode_permission(inode, mask);
1da177e4
LT		 2882}
2883
788e7dd4
YN		 2884static int selinux_file_permission(struct file *file, int mask)
2885{
2886 struct inode *inode = file->f_path.dentry->d_inode;
2887 struct task_security_struct *tsec = current->security;
2888 struct file_security_struct *fsec = file->f_security;
2889 struct inode_security_struct *isec = inode->i_security;
2890
2891 if (!mask) {
2892 /* No permission to check. Existence test. */
2893 return 0;
2894 }
2895
2896 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2897 && fsec->pseqno == avc_policy_seqno())
2898 return selinux_netlbl_inode_permission(inode, mask);
2899
2900 return selinux_revalidate_file_permission(file, mask);
2901}
2902
1da177e4
LT		 2903static int selinux_file_alloc_security(struct file *file)
2904{
2905 return file_alloc_security(file);
2906}
2907
2908static void selinux_file_free_security(struct file *file)
2909{
2910 file_free_security(file);
2911}
2912
2913static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2914 unsigned long arg)
2915{
242631c4 2916 u32 av = 0;
1da177e4 2917
242631c4
SS		 2918 if (_IOC_DIR(cmd) & _IOC_WRITE)
2919 av |= FILE__WRITE;
2920 if (_IOC_DIR(cmd) & _IOC_READ)
2921 av |= FILE__READ;
2922 if (!av)
2923 av = FILE__IOCTL;
1da177e4 2924
242631c4 2925 return file_has_perm(current, file, av);
1da177e4
LT		 2926}
2927
2928static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2929{
2930#ifndef CONFIG_PPC32
2931 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2932 /*
2933 * We are making executable an anonymous mapping or a
2934 * private file mapping that will also be writable.
2935 * This has an additional check.
2936 */
2937 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2938 if (rc)
2939 return rc;
2940 }
2941#endif
2942
2943 if (file) {
2944 /* read access is always possible with a mapping */
2945 u32 av = FILE__READ;
2946
2947 /* write access only matters if the mapping is shared */
2948 if (shared && (prot & PROT_WRITE))
2949 av |= FILE__WRITE;
2950
2951 if (prot & PROT_EXEC)
2952 av |= FILE__EXECUTE;
2953
2954 return file_has_perm(current, file, av);
2955 }
2956 return 0;
2957}
2958
2959static int selinux_file_mmap(struct file *file, unsigned long reqprot,
ed032189
EP		 2960 unsigned long prot, unsigned long flags,
2961 unsigned long addr, unsigned long addr_only)
1da177e4 2962{
ed032189 2963 int rc = 0;
828dfe1d 2964 u32 sid = ((struct task_security_struct *)(current->security))->sid;
1da177e4 2965
ed032189
EP		 2966 if (addr < mmap_min_addr)
2967 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2968 MEMPROTECT__MMAP_ZERO, NULL);
2969 if (rc || addr_only)
1da177e4
LT		 2970 return rc;
2971
2972 if (selinux_checkreqprot)
2973 prot = reqprot;
2974
2975 return file_map_prot_check(file, prot,
2976 (flags & MAP_TYPE) == MAP_SHARED);
2977}
2978
2979static int selinux_file_mprotect(struct vm_area_struct *vma,
2980 unsigned long reqprot,
2981 unsigned long prot)
2982{
2983 int rc;
2984
2985 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2986 if (rc)
2987 return rc;
2988
2989 if (selinux_checkreqprot)
2990 prot = reqprot;
2991
2992#ifndef CONFIG_PPC32
db4c9641
SS		 2993 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2994 rc = 0;
2995 if (vma->vm_start >= vma->vm_mm->start_brk &&
2996 vma->vm_end <= vma->vm_mm->brk) {
2997 rc = task_has_perm(current, current,
2998 PROCESS__EXECHEAP);
2999 } else if (!vma->vm_file &&
3000 vma->vm_start <= vma->vm_mm->start_stack &&
3001 vma->vm_end >= vma->vm_mm->start_stack) {
3002 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3003 } else if (vma->vm_file && vma->anon_vma) {
3004 /*
3005 * We are making executable a file mapping that has
3006 * had some COW done. Since pages might have been
3007 * written, check ability to execute the possibly
3008 * modified content. This typically should only
3009 * occur for text relocations.
3010 */
3011 rc = file_has_perm(current, vma->vm_file,
3012 FILE__EXECMOD);
3013 }